CVE-2026-8647
Deferred - Pending Action
Insecure Random Number Generation in Crypt::ScryptKDF Perl Module

Publication date: 2026-05-26

Last updated on: 2026-05-28

Assigner: CPANSec

Description
Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure were available.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-28
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
openwall | crypt_scryptkdf | to 0.011 (exc)
CWE ID | Description
CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Executive Summary

This vulnerability exists in Crypt::ScryptKDF versions through 0.010 for Perl, where the module uses an insecure random number source if no cryptographically secure pseudorandom number generator (CSPRNG) module is available.

Specifically, the random_bytes function falls back to using Perl's built-in rand() function when none of the secure random modules such as Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure are present.

Since rand() is not cryptographically secure, this fallback results in weak randomness, which can compromise the security of cryptographic operations relying on this module.

Impact Analysis

The impact of this vulnerability is that cryptographic keys or other security-critical values generated by Crypt::ScryptKDF may be predictable or guessable due to the use of an insecure random number source.

This can lead to weakened encryption, making it easier for attackers to break the cryptographic protections, potentially resulting in unauthorized data access or compromise.

Mitigation Strategies

To mitigate this vulnerability, ensure that a cryptographically secure pseudo-random number generator (CSPRNG) Perl module is installed and available.

  • Install one of the following Perl modules: Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure.
  • Upgrade Crypt::ScryptKDF to a version later than 0.010 where this fallback to insecure rand() is fixed.

Compliance Impact

The vulnerability involves the use of an insecure random number source in Crypt::ScryptKDF versions through 0.010 for Perl when no CSPRNG module is available. This weakness (CWE-338) could undermine the security of cryptographic operations.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the use of weak cryptographic primitives can potentially lead to non-compliance with these regulations, which require strong data protection measures.

Therefore, this vulnerability could negatively impact compliance with common security standards and regulations that mandate the use of secure cryptographic methods to protect sensitive data.

Detection Guidance

To detect this vulnerability on your system, you should check the version of the Crypt::ScryptKDF Perl module installed and verify whether it is version 0.010 or earlier.

Additionally, you should check if any of the recommended CSPRNG modules (Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure) are installed. If none of these modules are present and the Crypt::ScryptKDF version is vulnerable, your system is at risk.

Suggested commands to detect the vulnerability include:

  • Check the installed version of Crypt::ScryptKDF: perl -MCrypt::ScryptKDF -e 'print $Crypt::ScryptKDF::VERSION . "\n";'
  • Check if recommended CSPRNG modules are installed, for example: perl -MCrypt::PRNG -e 1; perl -MCrypt::OpenSSL::Random -e 1; perl -MNet::SSLeay -e 1; perl -MCrypt::Random -e 1; perl -MBytes::Random::Secure -e 1

If the version is 0.010 or earlier and none of these modules load successfully, the system is vulnerable.
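
The two checks above combined into one audit script, as an added example that is not part of the original advisory or the module's own code. It assumes the perl on PATH (or the path passed as the first argument) is the interpreter the application actually runs under; the function names and status labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit for the CVE-2026-8647 condition.
# Function names and status labels are hypothetical, chosen for this sketch.

# CSPRNG modules the advisory lists as preventing the rand() fallback.
CSPRNG_MODULES="Crypt::PRNG Crypt::OpenSSL::Random Net::SSLeay Crypt::Random Bytes::Random::Secure"

# Succeeds (exit 0) when a version string is in the affected range, <= 0.010.
version_is_affected() {
    awk -v v="$1" 'BEGIN { exit !((v + 0) <= 0.010) }'
}

# Prints one line per listed CSPRNG module that the given perl can load.
loadable_csprng_modules() {
    perl_bin="${1:-perl}"
    for m in $CSPRNG_MODULES; do
        if "$perl_bin" -M"$m" -e 1 >/dev/null 2>&1; then printf '%s\n' "$m"; fi
    done
}

# Maps (installed version, number of loadable CSPRNG modules) to a status.
classify() {
    if [ -z "$1" ]; then echo "not-installed"
    elif ! version_is_affected "$1"; then echo "fixed-version"
    elif [ "$2" -gt 0 ]; then echo "affected-version-csprng-present"
    else echo "vulnerable"
    fi
}

# Runs both checks against one interpreter and prints the resulting status.
audit_host() {
    perl_bin="${1:-perl}"
    version=$("$perl_bin" -MCrypt::ScryptKDF -e 'print $Crypt::ScryptKDF::VERSION' 2>/dev/null) || version=""
    count=$(loadable_csprng_modules "$perl_bin" | wc -l | tr -d ' ')
    classify "$version" "$count"
}

audit_host "$@"
```

A status of affected-version-csprng-present means the rand() fallback is avoided only while one of those modules stays loadable from that interpreter's @INC.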
